With PCI DSS requiring penetration testing, it has become imperative not only to become compliant but also to remain in compliance.

With that in mind, I'm proud to add Dr. Anton Chuvakin to our esteemed list of contributors to EH-Net. Formerly of Qualys, Dr. Chuvakin is an expert in PCI and shares some valuable information on staying compliant. He even has a very neatly compiled To-Do List.

Lately, a lot of security industry discussions have been focused on PCI DSS (Payment Card Industry Data Security Standard). The conversation ranges from practical advice on “how to get compliant” all the way to branding PCI as a devilish invention (Google for “PCI is the devil”). Fiery debates aside, PCI DSS guidance helped countless organizations to see the light of security where there was none before. It goes without saying that it didn’t magically make them “become secure” – no external document can.

One of the frequent criticisms of PCI focuses on the misguided view that “PCI is all about passing an ‘audit’.” Many people would be surprised to find out that PCI DSS lists specific tasks that you have to be doing all the time – NOT just before the assessment. This article focuses on the exact steps organizations must take to actually stay compliant and not just pass validation via scanning, on-site assessment or self-assessment questionnaire (SAQ).

Let us know what you think or if you have requests for specific articles on PCI that you'd like Dr. Chuvakin to write.